Free Base64 Encoder & Decoder — Convert Text to Base64 Online
Table of Contents
If you have worked with APIs, email systems, or web development, you have encountered Base64. It appears in authorization headers, data URIs, JWT tokens, email attachments, and configuration files. It looks like random characters — SGVsbG8gV29ybGQ= — but it is actually a systematic encoding of the text "Hello World."
Our free Base64 encoder and decoder converts text to Base64 and back instantly. Paste encoded text to decode it, or paste plain text to encode it. Everything runs in your browser — no data is sent to any server. This matters when you are decoding API tokens, authorization headers, or any data that might contain credentials.
What Is Base64 and Why Does It Exist?
Base64 is a binary-to-text encoding scheme defined in RFC 4648. It converts any binary data — text, images, files — into a string of 64 printable ASCII characters: A-Z, a-z, 0-9, +, and /, with = used for padding.
It was created to solve a practical problem: many transport protocols only support text. Email (SMTP), HTML, JSON, XML, and URLs were designed to carry text, not raw binary data. If you try to send a JPEG through an email body or include binary data in a JSON payload, the binary bytes will corrupt because the transport layer interprets them as control characters.
Base64 solves this by converting binary data into safe, printable characters that survive any text-based transport without corruption. It has been used since the early internet — the MIME email standard (1996) was one of the first major adopters.
The "64" comes from the alphabet size: 2^6 = 64 characters. Each Base64 character represents 6 bits of data, compared to 8 bits per byte. This means Base64 output is always about 33% larger than the input — three bytes of data become four Base64 characters.
How Base64 Encoding Works
The algorithm is straightforward once you understand the bit math:
- Take 3 bytes of input (24 bits total)
- Split into 4 groups of 6 bits
- Map each 6-bit value to a character in the Base64 alphabet (A=0, B=1, ... Z=25, a=26, ... z=51, 0=52, ... 9=61, +=62, /=63)
- If the input is not a multiple of 3 bytes, pad the output with
=characters
For example, encoding "Hi":
- "H" = 72, "i" = 105 in ASCII
- Binary: 01001000 01101001 (16 bits, padded to 18: 010010 000110 100100)
- 6-bit groups: 18, 6, 36 + padding
- Base64:
SGk=
You do not need to do this math yourself — that is what the tool is for. But understanding the process explains why Base64 always produces output that is 4/3 the original size, and why encoded strings often end with one or two = signs.
Encoding vs. Encryption — They Are Not the Same
This is the single most important thing to understand about Base64: it is not encryption. It provides zero security. Anyone can decode Base64 — no key, no password, no secret required. Encoding tools like Base64Online.org, Base64Decode.org, and our tool can all decode the same string identically.
Encoding transforms data into a different format for transport. Encryption transforms data to prevent unauthorized reading. Here is the distinction:
| Property | Base64 (Encoding) | AES/RSA (Encryption) |
|---|---|---|
| Purpose | Safe data transport | Data confidentiality |
| Reversible by anyone? | Yes — no key needed | No — requires the key |
| Security | None | Strong (with proper key management) |
| Output size | ~33% larger | Varies by algorithm |
Real-world consequence: HTTP Basic Authentication sends your username and password as Base64. This means your credentials are trivially decodable by anyone who intercepts the request. That is why Basic Auth must always be used over HTTPS — the TLS encryption protects the Base64-encoded credentials in transit.
Sell Custom Apparel — We Handle Printing & Free ShippingWhen to Use Base64 (and When Not To)
Good Use Cases
- Data URIs in HTML/CSS: Embed small images directly in your code as
data:image/png;base64,...to eliminate an HTTP request. Best for icons under 5KB. - Email attachments (MIME): Every email attachment you have ever sent was Base64 encoded. The MIME standard requires it.
- JSON API payloads: Include binary data (like file uploads) in JSON by Base64 encoding it. JSON only supports text, so binary data must be encoded.
- HTTP Basic Auth: The Authorization header uses Base64:
Authorization: Basic dXNlcjpwYXNz(wheredXNlcjpwYXNzdecodes to "user:pass"). - Storing binary in text databases: Some databases and config files only support text. Base64 lets you store binary data safely.
Bad Use Cases
- Large file transfer: The 33% size overhead makes Base64 inefficient for large files. Use binary transfer instead.
- Security: Never use Base64 to "hide" passwords, tokens, or sensitive data. It is not encryption.
- Large images on web pages: Data URIs for images over 10KB hurt performance because they cannot be cached separately and bloat your HTML.
Data URIs — Embedding Images in HTML and CSS
One of the most common uses of Base64 in web development is creating data URIs. Instead of linking to an external image file, you embed the image data directly in your HTML or CSS:
<img src="data:image/png;base64,iVBORw0KGgo...">
When to use data URIs:
- Small icons and logos under 5KB — eliminates an HTTP request
- Background images in CSS for critical above-the-fold content
- Email HTML templates where external images might be blocked
- Single-file HTML documents that need to be self-contained
When NOT to use data URIs:
- Images over 10KB — the 33% size increase and inability to cache separately makes external files more efficient
- Images used on multiple pages — an external file is cached once, a data URI is re-downloaded with every page load
- Responsive images — you cannot use
srcsetor<picture>with data URIs
Base64 in API Authentication
If you build or consume APIs, you encounter Base64 in authentication headers constantly.
HTTP Basic Auth: The most common usage. Your username and password are combined as username:password, Base64 encoded, and sent in the header. Most API testing tools like Postman handle this automatically, but when debugging auth failures you often need to manually decode the header to verify the credentials are correct.
API keys: Some services Base64 encode their API keys as an obfuscation layer. Stripe, Twilio, and SendGrid all use Base64 in different parts of their auth flow. When debugging "401 Unauthorized" errors, decoding the authorization header is step one.
OAuth tokens: Access tokens and refresh tokens are often Base64 encoded strings. JWTs specifically use URL-safe Base64 for their header and payload sections.
URL-Safe Base64 Explained
Standard Base64 uses + and / in its alphabet. Both characters have special meaning in URLs: + represents a space, and / is a path separator. If you put standard Base64 in a URL, it breaks.
URL-safe Base64 (also called Base64url) replaces:
+with-(hyphen)/with_(underscore)- Padding
=is often omitted
This variant is defined in RFC 4648 Section 5. JWTs use it exclusively. If you are decoding a JWT token and getting errors, check whether you are using standard Base64 or URL-safe Base64 — they are not interchangeable.
Encode or Decode Base64 Now
Instant Base64 encoding and decoding. Free, private, no signup.
Open Base64 ToolFrequently Asked Questions
What is Base64 encoding?
Base64 is a binary-to-text encoding scheme that converts binary data into a set of 64 printable ASCII characters (A-Z, a-z, 0-9, +, /). It is used to safely transmit binary data through text-only channels like email, URLs, and JSON payloads. The encoded output is about 33% larger than the original data.
Is Base64 encoding the same as encryption?
No. Base64 is encoding, not encryption. Anyone can decode Base64 — there is no key or password involved. It is a reversible transformation for data transport, not data security. Never use Base64 to "protect" sensitive information like passwords or API keys. Use proper encryption (AES, RSA) for security.
When should I use Base64 encoding?
Use Base64 for embedding images in HTML/CSS (data URIs), sending binary data in JSON APIs, encoding email attachments (MIME), including binary data in XML, and encoding authentication credentials in HTTP Basic Auth headers. Do not use it for large files (it adds 33% overhead) or for security purposes.
What is URL-safe Base64?
Standard Base64 uses + and / characters, which have special meaning in URLs. URL-safe Base64 replaces + with - and / with _ so the encoded string can be safely included in URLs and query parameters without additional encoding. JWTs use URL-safe Base64 for this reason.
Why does Base64 make data about 33% larger?
Base64 encodes every 3 bytes of input into 4 ASCII characters. Three bytes equals 24 bits, which is split into four 6-bit groups (2^6 = 64 possible characters). So the output is always 4/3 the size of the input — a 33% increase. A 100KB image becomes about 133KB when Base64 encoded.
Can I Base64 encode files like images and PDFs?
Yes. Any file can be Base64 encoded since all files are ultimately binary data. For images, the result is a data URI you can embed directly in HTML or CSS. For other files, the result is a Base64 string that can be included in JSON payloads or API requests. Keep in mind the 33% size increase.